Eclipse Jetty

2 CVEs

CVE-2026-2332 (Maven): CRITICAL, patch available, GHSA advisory, Act Now

HTTP request smuggling in Eclipse Jetty's HTTP/1.1 parser lets remote unauthenticated attackers desynchronize front-end/back-end request boundaries by abusing quoted-string chunk extensions. Jetty incorrectly terminates chunk-extension parsing at a CRLF located inside an unterminated quoted-string (e.g. `1;a="`) rather than rejecting it, so attacker-controlled bytes are reinterpreted as a second, smuggled request on the same TCP connection. Publicly available exploit code exists (a working Python PoC ships in the GHSA advisory), though EPSS is very low (0.03%, 9th percentile) and the issue is not on CISA KEV.

Categories: Code Injection, Request Smuggling, Eclipse Jetty
Sources: NVD, GitHub, VulDB, HeroDevs
CVSS 3.1: 9.1
EPSS: 0.0%
CVE-2026-5795 (Maven): HIGH, patch available, GHSA advisory, This Week

Privilege escalation in Eclipse Jetty 9.4.0 through 12.1.7 allows unauthenticated remote attackers to bypass authentication via ThreadLocal variable pollution in JASPIAuthenticator. Early returns from authentication checks fail to clear ThreadLocal values, so subsequent requests handled on the same thread inherit elevated privileges. CVSS 7.4: high attack complexity, but no authentication required. EPSS and KEV status not provided; no public exploit identified at time of analysis. Affects all major Jetty versions from 9.x through 12.x.

Categories: Privilege Escalation, Eclipse Jetty
Sources: NVD, GitHub, HeroDevs, VulDB
CVSS 3.1: 7.4
EPSS: 0.0%